Incident Response Plan (Summary)

How we detect, contain, eradicate, recover from and learn from security incidents - and the regulator-notification clocks we run against (NIS2 24h/72h, ICO 72h, Ofcom).

Version

v1.0

Effective

22 April 2026

Last reviewed

22 April 2026

Jurisdiction

United Kingdom + EEA

Owner

CISO

Review cycle

Annual, plus on material change

NIS2 Art. 23UK GDPR Art. 33Telecoms Security Act 2021

1. Phases#

Detect - Abel layer 22 fuses signals to a single SOC view.
Triage - severity rated 1–4 within 15 minutes.
Contain - quarantine via Abel layer 20.
Eradicate - patch, rotate keys, revoke tokens.
Recover - restore service and validate.
Learn - post-incident review within 14 days; controls updated.

2. Regulator clocks#

Regime	Notification window	Recipient
NIS2 early warning	24 hours from awareness	National CSIRT
NIS2 incident notification	72 hours	National CSIRT
UK GDPR personal-data breach	72 hours	ICO
Ofcom telecoms security incident	As required by TSA Code of Practice	Ofcom
Customers under DPA	24 hours (contractual)	Affected controllers

Named owners, written charters, scheduled reviews, board oversight.

3. Roles#

Incident Commander: CISO or delegate.
Comms Lead: Head of Customer Operations.
Legal Lead: Head of Compliance.
Engineering Lead: on-call SRE.

4. Post-incident review#

Blameless. Within 14 days. Findings go to the Security & Resilience Committee and the Risk & Compliance Committee. Material lessons published externally where customers were affected.

5. Review & ownership#

Owner: CISO. Tested at least twice a year. Reviewed annually.

Version history

Version	Date	Change
v1.0	22 April 2026	Initial publication.

This document is published by Boundless Telecom Ltd and forms part of our public legal posture. It is a living document - we update it as the regulatory environment, our supply chain or our products change. If anything here is unclear or you'd like a counter-signed copy, contact legal@boundless.tel and we'll respond within one working day.